Hi all,

I am researching the window.crypto.generateCRMFRequest() function available in Firefox (I am using FF 2.0.10). Now, if the requested keys are for signing, everything looks good. But if the requested keys are for key exchange (e.g. "rsa-ex"), the generated CRMF request structure has a number of issues.

Here are the issues I am facing:

1) A PKIArchiveOptions control is included (http://www.ietf.org/rfc/rfc4211.txt, section 6.4). The EncryptedKey structure in it is encoded as a SEQUENCE while it actually is a CHOICE. Our CRMF decoder is throwing as soon as it sees this structure. Shall I raise a bug?

2) The EncryptedKey is encoded as the now deprecated EncryptedValue structure. Is there a plan to encode the value with the EnvelopedData structure any time soon?

3) Finally, the ProofOfPossession structure looks broken in this scenario, as what we see is: A2 05 80 03 00 03 00, which does not seem to relate to any of the permitted options described in RFC 4211, section 4. FYI: if the CRMF request contains a cert request for a signing key pair, the ProofOfPossession is valid (a correct instance of POPOSigningKey) and is correctly verified by our decoder.

Does anyone know if these issues have been addressed in FF 3.5 and, if not, will they be addressed in the next releases of FF?

Many thanks in advance,
Nikolai Koustov.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
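For readers who want to inspect the ProofOfPossession bytes quoted in item 3, here is a minimal DER tag-length-value walker. It is an added example, not part of the original post and not Mozilla's or the poster's decoder. The two tag-to-name tables are transcribed from the ASN.1 in RFC 4211 section 4 and should be checked against the RFC; the function names are hypothetical.

```python
# Added example: minimal DER TLV walker (single-byte tags, definite lengths)
# applied to the ProofOfPossession bytes quoted in the post.
CLASSES = ("universal", "application", "context", "private")

# Context tag numbers of the CHOICE alternatives, transcribed from the
# ASN.1 in RFC 4211 section 4 (assumption: verify against the RFC text).
PROOF_OF_POSSESSION = {0: "raVerified", 1: "signature",
                       2: "keyEncipherment", 3: "keyAgreement"}
POPO_PRIV_KEY = {0: "thisMessage", 1: "subsequentMessage", 2: "dhMAC",
                 3: "agreeMAC", 4: "encryptedKey"}


def read_tlv(buf, pos=0):
    """Return (class, constructed, tag_number, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    first = buf[pos]
    if first & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers not handled here")
    length = buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("content runs past end of buffer")
    return CLASSES[first >> 6], bool(first & 0x20), first & 0x1F, buf[pos:end], end


def describe_popo(der):
    """Name the outer and inner CHOICE alternatives of a ProofOfPossession."""
    cls, constructed, num, content, end = read_tlv(der)
    if cls != "context" or end != len(der):
        raise ValueError("not a single context-tagged value")
    outer = PROOF_OF_POSSESSION.get(num, "unknown")
    if not constructed or outer not in ("keyEncipherment", "keyAgreement"):
        return outer, None, content
    icls, _, inum, inner_content, iend = read_tlv(content)
    if icls != "context" or iend != len(content):
        raise ValueError("unexpected inner value")
    return outer, POPO_PRIV_KEY.get(inum, "unknown"), inner_content


if __name__ == "__main__":
    sample = bytes.fromhex("A2058003000300")  # bytes quoted in the post
    print(describe_popo(sample))
```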
